Disallow Capabilities (Strict)
Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition, all containers (regular, init and ephemeral) must explicitly drop `ALL` capabilities.
Policy Definition
/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-capabilities-strict
  annotations:
    policies.kyverno.io/title: Disallow Capabilities (Strict)
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition,
      all containers must explicitly drop `ALL` capabilities.
spec:
  validationFailureAction: audit
  background: true
  rules:
    - name: require-drop-all
      match:
        any:
        - resources:
            kinds:
              - Pod
      preconditions:
        all:
        - key: "{{ request.operation || 'BACKGROUND' }}"
          operator: NotEquals
          value: DELETE
      validate:
        message: >-
          Containers must drop `ALL` capabilities.
        foreach:
          - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
            deny:
              conditions:
                all:
                - key: ALL
                  operator: AnyNotIn
                  value: "{{ element.securityContext.capabilities.drop[] || `[]` }}"
    - name: adding-capabilities-strict
      match:
        any:
        - resources:
            kinds:
              - Pod
      preconditions:
        all:
        - key: "{{ request.operation || 'BACKGROUND' }}"
          operator: NotEquals
          value: DELETE
      validate:
        message: >-
          Any capabilities added other than NET_BIND_SERVICE are disallowed.
        foreach:
          - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
            deny:
              conditions:
                all:
                - key: "{{ element.securityContext.capabilities.add[] || `[]` }}"
                  operator: AnyNotIn
                  value:
                    - NET_BIND_SERVICE
                    - ''
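The two rules above are easy to reproduce outside the cluster, which is useful for screening manifests in CI before they ever reach the admission controller. The following is an added example written for this page, not Kyverno's own code: it walks the same three container lists the policy's `foreach` iterates (`ephemeralContainers`, `initContainers`, `containers`), applies the same two checks with exact string matching, and returns one message per failing container. The Pod specs at the bottom are constructed sample input, represented as Python dicts so the script needs no YAML library.

```python
"""Offline re-implementation of the checks in the Kyverno
`disallow-capabilities-strict` policy (added example, not Kyverno code)."""
from typing import Iterable, Tuple, List, Dict

# The single capability the policy allows a container to add (rule adding-capabilities-strict).
ALLOWED_ADD = {"NET_BIND_SERVICE"}

# Same three lists, in the same order, as the policy's foreach expression.
CONTAINER_FIELDS = ("ephemeralContainers", "initContainers", "containers")


def iter_containers(pod: Dict) -> Iterable[Tuple[str, Dict]]:
    """Yield (path, container) for every container-like entry in the Pod spec."""
    spec = pod.get("spec") or {}
    for field in CONTAINER_FIELDS:
        for container in spec.get(field) or []:
            yield f"{field}/{container.get('name', '?')}", container


def capabilities(container: Dict) -> Tuple[List[str], List[str]]:
    """Return (add, drop) lists; a missing securityContext or capabilities block
    is treated as empty, mirroring the policy's `|| []` default."""
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    return list(caps.get("add") or []), list(caps.get("drop") or [])


def check_pod(pod: Dict) -> List[str]:
    """Return one violation message per failing container; empty list means the Pod passes.
    Comparison is an exact, case-sensitive string match, as in the policy."""
    violations: List[str] = []
    for path, container in iter_containers(pod):
        add, drop = capabilities(container)
        # rule require-drop-all: `drop` must literally contain ALL
        if "ALL" not in drop:
            violations.append(f"{path}: containers must drop `ALL` capabilities")
        # rule adding-capabilities-strict: anything added beyond NET_BIND_SERVICE is disallowed
        extra = sorted(set(add) - ALLOWED_ADD)
        if extra:
            violations.append(f"{path}: disallowed capabilities added: {', '.join(extra)}")
    return violations


def _pod(name: str, **lists: List[Dict]) -> Dict:
    """Build a minimal Pod dict (constructed sample input, not from a real cluster)."""
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": lists}


def _container(name: str, add=None, drop=None, with_ctx=True) -> Dict:
    c = {"name": name, "image": "example.invalid/app:1.0"}  # hypothetical image reference
    if with_ctx:
        c["securityContext"] = {"capabilities": {"add": add or [], "drop": drop or []}}
    return c


# Constructed sample Pods.
COMPLIANT_POD = _pod("ok", containers=[_container("web", add=["NET_BIND_SERVICE"], drop=["ALL"])])
BAD_INIT_POD = _pod("bad-init",
                    initContainers=[_container("setup")],            # drop list empty
                    containers=[_container("web", drop=["ALL"])])
NET_ADMIN_POD = _pod("net-admin",
                     containers=[_container("proxy", add=["NET_BIND_SERVICE", "NET_ADMIN"], drop=["ALL"])])
NO_CONTEXT_POD = _pod("no-ctx", containers=[_container("plain", with_ctx=False)])


if __name__ == "__main__":
    for pod in (COMPLIANT_POD, BAD_INIT_POD, NET_ADMIN_POD, NO_CONTEXT_POD):
        result = check_pod(pod) or ["pass"]
        print(pod["metadata"]["name"] + ":")
        for line in result:
            print("  " + line)
```

Note that this mirrors the policy exactly, including its strictness: a container with no `securityContext` at all fails `require-drop-all`, because the policy requires an explicit `drop: [ALL]` rather than inferring it. As shipped, the ClusterPolicy runs with `validationFailureAction: audit`, so violations are only reported; change it to `enforce` to have the admission controller reject the Pod. With `background: true`, Pods already present in the cluster are also evaluated and reported, and the `preconditions` block skips evaluation on DELETE operations so that removing a non-compliant Pod is never blocked.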